Introduction

Recent cybersecurity developments have revealed the emergence of two new Linux backdoors, WolfsBane and FireWood [2] [3] [4] [9] [10] [12], attributed to the Gelsemium Advanced Persistent Threat (APT) group [3] [8] [9] [12]. This group, with a decade-long history of cyber-espionage, is believed to be aligned with China. The discovery marks a significant shift in Gelsemium’s operational strategy, as it is the first public report of their use of Linux malware. This trend highlights a broader movement among APT groups to target Linux systems, which are often less protected compared to their Windows counterparts.

Description

Recent discoveries have unveiled two new Linux backdoors, WolfsBane and FireWood [2] [3] [4] [9] [10] [12], attributed with high confidence to the Gelsemium Advanced Persistent Threat (APT) group [3] [7] [8], which has been active for over a decade and is aligned with China. This is the first public report of Gelsemium using Linux malware [3] [8] [9], a significant shift in its operational strategy. The group has a history of cyber-espionage aimed at sensitive data, including system information [3] [5] [7] [8] [9] [10], user credentials [3] [5] [7] [8] [9], and specific files and directories [5] [8] [9]. Its victims are concentrated in East and Southeast Asia, notably Taiwan, the Philippines [2] [4] [5] [6] [8] [10], and Singapore [1] [2] [4] [5] [6] [8] [10] [11], along with entities in the Middle East. In March 2023 [5], cybersecurity firm ESET identified multiple Linux samples uploaded to VirusTotal from these regions [5], linking the discovery of WolfsBane [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] to incidents involving compromised servers. This trend underscores a broader movement among APT groups toward under-protected Linux systems, driven by improved security measures in Windows environments.

WolfsBane, assessed as the Linux counterpart to the previously recognized Windows malware Gelsevirine, which has been in use since 2014 [5], is designed for long-term system access and data exfiltration. Its attack chain consists of a dropper [8], a launcher [1] [3] [6] [7] [8] [11], and a modified open-source userland rootkit [4] [6] [7] [8]; the rootkit applies obfuscation techniques to conceal the malware's activity and maintain access while it collects sensitive data. By executing commands stealthily [3] [7] [9], WolfsBane enables prolonged intelligence gathering while evading detection [9].

FireWood [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12], another recently discovered Linux backdoor, is considered a continuation of the Project Wood malware lineage [4], which has evolved since its inception in 2005 [7]. While it shares similarities with WolfsBane, its exact relationship to Gelsemium remains unclear, so the attribution is made with low confidence [3] [6]. FireWood was previously used in Operation TooHash and combines typical backdoor capabilities with a kernel-level rootkit. Both strains are delivered by exploiting vulnerabilities in public-facing Apache Tomcat servers [4], particularly Java web applications, to deploy web shells [4]; the web shells are then used to install the backdoors and remotely control the compromised servers.

The threat score associated with the Gelsemium APT group is high (8.5/10) [4], indicating a significant risk to critical infrastructure [4]. Its operations are linked through overlaps in code [12], infrastructure [4] [12], and targeting patterns observed in previous campaigns [12]. This reflects the increasing focus on Linux systems by professional threat actors [10], driven by improved security solutions for Windows and the disabling of VBA macros [10]. Organizations are urged to reevaluate their security measures for Linux systems [4], prioritizing security updates [10], intrusion detection systems [10], and regular security audits to mitigate the risks posed by these threats. The tools associated with Gelsemium underscore the importance of vigilance in cybersecurity practices, particularly for Linux-based systems [4]. For a detailed technical analysis of Gelsemium's latest toolset, see the references below.

Conclusion

The emergence of WolfsBane and FireWood signifies a pivotal shift in the tactics of the Gelsemium APT group, underscoring the growing threat to Linux systems. As APT groups increasingly target these systems, organizations must enhance their cybersecurity measures, focusing on regular updates, robust intrusion detection [10], and comprehensive security audits. The high threat score associated with Gelsemium highlights the urgent need for vigilance and proactive defense strategies to protect critical infrastructure from sophisticated cyber threats.

References

[1] https://www.eset.com/nl/over/newsroom/persberichten-overzicht/persberichten/eset-research-ontdekt-wolfsbane-nieuwe-linux-cyberspionage-backdoor-door-het-aan-china-gelieerde-gelsemium/
[2] https://www.darkreading.com/threat-intelligence/chinese-apt-gelsemium-wolfsbane-linux-variant
[3] https://www.welivesecurity.com/en/eset-research/unveiling-wolfsbane-gelsemiums-linux-counterpart-to-gelsevirine/
[4] https://cybersecsentinel.com/gelsemium-apt-shifts-focus-to-linux-with-wolfsbane-backdoor/
[5] https://www.techepages.com/chinese-apt-gelsemium-targets-linux-systems-with-new-wolfsbane-backdoor/
[6] https://www.helpnetsecurity.com/2024/11/21/linux-backdoors-wolfsbane-firewood/
[7] https://www.eset.com/int/about/newsroom/press-releases/research/eset-research-discovers-wolfsbane-new-linux-cyberespionage-backdoor-by-china-aligned-gelsemium/
[8] https://blog.eset.ie/2024/11/21/eset-research-discovers-wolfsbane-new-linux-cyberespionage-backdoor-by-gelsemium-apt/
[9] https://cybersecuritynews.com/gelsemium-apt-hackers-attacking-linux-servers/
[10] https://www.eset.com/de/about/presse/pressemitteilungen/pressemitteilungen/eset-entdeckt-neue-linux-backdoors-der-gelsemium-hackergruppe/
[11] https://www.emerce.nl/wire/eset-research-ontdekt-wolfsbane-nieuwe-linux-cyberspionage-backdoor-door-china-gelieerde-gelsemium
[12] https://www.infosecurity-magazine.com/news/linux-malware-wolfsbane-firewood/